Title: Forensic Analysis of a Database Attack
Josh Shaul, Office of the CTO, josh_at_appsecinc.com
This Session's Agenda
- Introduction
- Landscape
- Database Vulnerabilities Are The New Front-Lines
- Attacking Where the Data Resides
- Planning an Attack
- Attacking Database Vulnerabilities
- Available Best Practices and Resources
- Database Forensics
- Securing Your Databases
- Resources for Further Advice and Research
Old Data Processing Environment
New Data Processing Requirement
- Increasingly Focused Attacks
  - Directly on applications (75%!)
  - Including insiders (80%!)
  - As perimeter crumbles
- Demand for Pervasive Access
  - By anyone
  - To any application
  - Increasingly direct
- Compliance Requirements
  - Info ultimately in DB apps
  - Privacy / confidentiality
  - Integrity
- Compliance must be
  - Repeatable
  - Demonstrable
Databases Are Under Attack
- February 2005 to April 2008
  - Total Affected Customers: 226,784,583
  - Literally hundreds of incidents
  - Victims include financial institutions, government agencies, retailers, healthcare providers, universities, manufacturing, consulting and audit firms, ...
- Incidents reported almost every day
  - Last week alone, 8 incidents affected nearly 1M records
- http://www.privacyrights.org/ar/ChronDataBreaches.htm
Recent Incidents
Database Vulnerabilities
Established Vulnerability Categories
- Most commonly known to apply to OSs and NOSs
Categories Also Apply to Databases!
- Databases are a separate attack vector!
Database Vulnerabilities: Default / Weak Passwords
- Databases have their own user accounts and passwords
Database Vulnerabilities: Default and Weak Passwords
- Oracle Defaults (hundreds of them)
  - User Account: internal / Password: oracle
  - User Account: system / Password: manager
  - User Account: sys / Password: change_on_install
  - User Account: dbsnmp / Password: dbsnmp
- MySQL Defaults
  - User Account: root / Password: null
  - User Account: admin / Password: admin
  - User Account: myusername / Password: mypassword
- Sybase Defaults
  - User Account: SA / Password: null
- Microsoft SQL Server Defaults
  - User Account: SA / Password: null
Database Vulnerabilities: Default and Weak Passwords
- It is important that you have all of the proper safeguards against password crackers because:
  - Not all databases have Account Lockout
  - Database Login activity is seldom monitored
  - Scripts and Tools for exploiting weak identification control mechanisms and default passwords are widely available
Database Vulnerabilities: Denial of Service (DoS) / Buffer Overflows
- Databases have their own DoSs / Buffer Overflows
Denial of Service: Databases Have Their Own DoS Attacks
- Result in the database crashing or failing to respond to connect requests or SQL Queries.
- Significant Database Denial of Service attacks:
  - Oracle8i NSPTCN data offset DoS
  - Oracle9i SNMP DoS
  - Microsoft SQL Server Resolution Service DoS
  - IBM DB2 Date/Varchar DoS
Buffer Overflows: Databases Have Their Own Buffer Overflows
- Result in an unauthorized user causing the application to perform an action the application was not intended to perform.
- Can allow arbitrary commands to be executed
  - No matter how strongly you've set passwords and other authentication features.
- Significant Database Buffer Overflows:
  - Oracle9i TZ_OFFSET buffer overflow
  - Microsoft pwdencrypt buffer overflow / Resolution Stack Overflow
  - Sybase xp_freedll buffer overflow
Misconfigurations / Resource Privilege Management Issues
- Misconfigurations can make a database vulnerable
Misconfigurations / Resource Privileges: Misconfigurations Can Make a Database Vulnerable
- Oracle
  - External Procedure Service
  - Default HTTP Applications
  - Privilege to Execute UTL_FILE
- Microsoft SQL Server
  - Standard SQL Server Authentication Allowed
  - Permissions granted on xp_cmdshell
- Sybase
  - Permission granted on xp_cmdshell
- IBM DB2
  - CREATE_NOT_FENCED privilege granted (allows logins to create SPs)
- MySQL
  - Permissions on User Table (mysql.user)
Database Vulnerabilities Wrap-up
Emerging Database Threats for 2008
- Sophisticated attacks that exploit un-patched vulnerabilities
- Cyber espionage efforts by well-resourced organizations looking to extract large amounts of data
- Insider attacks
- Insider mistakes
- Advanced identity theft via database rootkits
- Increasingly sophisticated social engineering leading to full-blown database disclosures
- Weak or non-existent audit controls
- Powerful self-propagating attacks distributed via infection kits on legitimate websites
Database Attack Illustrations
Planning an Attack
- Create a Map
  - What does the network look like?
- Reconnoiter
  - Collect information about the layout of the target
  - What looks interesting?
- Probe, Progress, Plot
  - What can we do?
  - Build the springboard for further activity
  - Plan the strike
- Retreat and Re-attack
Directly Attacking a Database: Microsoft SQL Server (Resolution Stack Overflow)
- Attack Target: Microsoft SQL Server
- Privilege Level: Network Connection to Target
- Outcome: Administrative Control of Host Operating System
- Vulnerabilities Exploited
  - Buffer Overflows
Discover the Database
(two screenshot slides)
Attack Scenario Recap (Map / Recon)
Attack Scenario Recap
- Now What?
  - Start Probing and Exploring the Possibilities
- Exploit Code is Available Over the Web
  - Microsoft SQL Server Resolution Stack Overflow
  - Payload: Create a remote control shell
  - Will only work if they did not patch with Service Pack 3, but we'll see
Start Netcat
(screenshot; callouts mark the port to listen on and the listen option)
Execute Compiled Exploit Code
(screenshot sequence; callouts mark the intruder machine IP, the port number and the service pack indicator)
Attack Scenario Recap
Directly Attacking a Database Recap: Microsoft SQL Server (Resolution Stack Overflow)
- Outcome: Complete Administrative Control of Host Operating System
- Vulnerabilities Exploited
  - Buffer Overflows
- How did we do it? Freely Available Exploit Code!
  - Microsoft SQL Server Remote Stack Overflow
Directly Attacking A Database: Oracle (DB18 Exploit)
- Attack Target: All Oracle Databases
- Privilege Level: Anyone with a Login
  - Examples: SCOTT / TIGER or Guest Account
- Outcome: Complete Administrative Control!
- Vulnerabilities Exploited
  - Bug in the Oracle Login Protocol
Directly Attacking A Database: Oracle (DB18 Exploit)
- Check Out the Following Website
  - http://www.adp-gmbh.ch/blog/2006/01/24.php
- What's on this website? Perl scripts that can be used to do all of the following:
  - Proxy a connection
  - Create an account
  - Escalate the privileges of that account to DBA
Directly Attacking A Database: Oracle (DB18 Exploit)
- Proxy a Connection
  - Setup the Proxy
  - http://www.adp-gmbh.ch/perl/proxy.html (package)
Directly Attacking A Database: Oracle (DB18 Exploit)
- Proxy a Connection
  - Edit the local tnsnames.ora file on the client
  - http://www.adp-gmbh.ch/blog/2006/01/24.php
  - Update to point communications to the port where the proxy is going to live on (1234)
  - Before / After (screenshots)
Directly Attacking A Database: Oracle (DB18 Exploit)
- globi is the database server being attacked
- Creates a listening socket on port 1234 within the localhost
- Accepts the packet and searches in it for the string it's looking to replace: ALTER SESSION SET NLS_LANGUAGE
- Replacing the ALTER USER with the malicious SQL
Attacking A Database (DB18 Exploit)
(screenshot)
Directly Attacking A Database: Oracle (DB18 Exploit)
- So Far
  - Verified who are the DBAs (Database Administrators) within the database
- What Now?
  - Start the proxy that we built using the Perl Script on our client machine
  - Create a new account evil_user
Attacking A Database (DB18 Exploit)
(screenshot)
Directly Attacking A Database: Oracle (DB18 Exploit)
- So Far
  - Proxy is waiting for any login to execute creating the evil_user account
- What Now?
  - Login with account scott and password tiger
Attacking A Database (DB18 Exploit)
(two screenshot slides)
Directly Attacking A Database: Oracle (DB18 Exploit)
- So Far
  - We created the evil_user account
- What's next?
  - Setup the proxy again so that it will establish evil_user as a DBA (Database Administrator)
Attacking A Database (DB18 Exploit)
(four screenshot slides)
Directly Attacking A Database Recap: Oracle (DB18 Exploit)
- Outcome: Complete Administrative Control!
- Vulnerabilities Exploited
  - Bug in the Oracle Login Protocol
- How did we do it? Freely Available Exploit Code!
  - Just look up "Oracle DB18 Exploit"
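For the defender, the DB18 scenario above leaves a tell-tale trace: the account creation and the DBA grant are recorded in the audit trail under the low-privilege login that was proxied (SCOTT), which has no business doing either. The following is an added example, not code from the presentation or from AppSecInc; it scans constructed DBA_AUDIT_TRAIL-style rows and assumes the set of approved DBAs (SYS, SYSTEM) is already known, as the deck's "verified who are the DBAs" step suggests.

```python
import re

# Constructed sample of Oracle audit-trail rows in DBA_AUDIT_TRAIL style
# (timestamp, db user, client host, action name, SQL text); not real data.
AUDIT_ROWS = [
    ("2008-04-10 09:00:12", "SCOTT", "client01", "LOGON", ""),
    ("2008-04-10 09:00:12", "SCOTT", "client01", "CREATE USER",
     "CREATE USER evil_user IDENTIFIED BY secret"),
    ("2008-04-10 09:05:40", "SCOTT", "client01", "LOGON", ""),
    ("2008-04-10 09:05:40", "SCOTT", "client01", "GRANT ROLE",
     "GRANT DBA TO evil_user"),
    ("2008-04-10 10:15:03", "SYSTEM", "dbadmin", "CREATE USER",
     "CREATE USER reporting IDENTIFIED BY secret"),
    ("2008-04-10 10:15:10", "SYSTEM", "dbadmin", "GRANT ROLE",
     "GRANT CONNECT TO reporting"),
]

# Account-management actions that a non-DBA session should never issue.
ACCOUNT_ACTIONS = {"CREATE USER", "ALTER USER", "DROP USER", "GRANT ROLE"}
DBA_GRANT = re.compile(r"\bGRANT\s+DBA\s+TO\s+(\w+)", re.IGNORECASE)


def find_escalations(rows, known_dbas):
    """Flag account changes issued by non-DBA sessions and any grant of the
    DBA role to an account outside the approved DBA set.  Returns a list of
    (timestamp, user, host, reason, sql) tuples."""
    approved = {u.upper() for u in known_dbas}
    findings = []
    for ts, user, host, action, sql in rows:
        if action in ACCOUNT_ACTIONS and user.upper() not in approved:
            findings.append((ts, user, host, "account change by non-DBA", sql))
        m = DBA_GRANT.search(sql)
        if m and m.group(1).upper() not in approved:
            findings.append((ts, user, host,
                             "DBA role granted to unapproved account", sql))
    return findings


def new_dba_accounts(rows, known_dbas):
    """Accounts that received the DBA role but are not in the approved set."""
    approved = {u.upper() for u in known_dbas}
    return sorted({m.group(1).upper() for *_, sql in rows
                   for m in [DBA_GRANT.search(sql)] if m} - approved)


if __name__ == "__main__":
    for finding in find_escalations(AUDIT_ROWS, ["SYS", "SYSTEM"]):
        print(finding)
```

Because the proxied login is a legitimate SCOTT session, only auditing of account-management actions (not the login itself) surfaces this pattern.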
Attacking Databases Over the Internet: Exploiting Search Engines (Google)
- Attack Target: Oracle
- Privilege Level: Anyone with Access to the Web and a Search Engine
- Outcome: Complete Administrative Control
- Vulnerabilities Exploited
  - Misconfigurations / Resource Privilege Management
How is Google used for attacks?
- First thing an attacker needs is information
  - Where to attack
  - What a site is vulnerable to
- Google is a large repository of information
  - Every web page in your application
  - Every domain on the Internet
- Google provides an attacker
  - Ability to search for attack points on the Internet
  - Ability to search for an attack point in a specific website
  - Ability to look for specific URLs or files
Example: looking for iSQL*Plus
- Oracle HTTP Servers
  - Execute queries on database using an HTTP form
  - Accessed using the URL /isqlplus
  - By default runs on any Oracle HTTP server installed with:
    - Oracle Applications Server
    - Oracle Database Server
- Search can be performed on Google
  - looking for Oracle HTTP servers
  - Using the allinurl advanced search feature
Using Google Advanced Search
Results of Google Advanced Search
Yahoo! Advanced Search Works Too...
Default username/password
Attacker is in the database
Attacker can execute any query
Attacking Databases Over the Internet Recap: Exploiting Search Engines (Google)
- Outcome: First step towards administrative control!
- Vulnerabilities Exploited
  - Misconfigurations / Resource Privilege Management
- How did we do it?
  - Googled for isql and took advantage of poor security practices!
Available Best Practices and Resources
What To Look For If You Suspect An Attack
- Attacks typically require multiple tries
  - Look for evidence of trial and error
- Normalize all your data
  - Find what is typical and then eliminate that
  - Look through what is not typical
  - Typically find clusters of errors reflecting an attack
- Narrow down the time period when the attack most likely occurred
  - Focus in on events around that time/date
  - Look at events from multiple sources to piece together what might have happened
- Determine the most likely source of the attack
  - Hacker using a password attack or buffer overflow
  - Customer using privilege escalation
  - Employee using special access
  - Do not rule out any attack vector
Forensics Basics
- If you discover an attack, take a baseline of your system
- Preserve the evidence
  - Secure the audit trail
  - Clearly, this is easier with auditing enabled; with no auditing, your recourse in the event of an attack is somewhat constrained
- Examine systems for active and sleeping files
  - Attacks come in all flavors: they can come in, test a few things, or they can steal whole databases. Or they can just put an exe file in the database and wait. Look for everything. Everywhere.
  - Use tools and automation to simplify this process when possible; it's a big task and can be daunting.
- Stay vigilant
  - One thing that has been an increasing trend in recently revealed attacks: they come back. Sophisticated hackers often test, drill and mine systems for months.
Database Forensics
- The database can provide valuable forensic evidence in case of a suspected breach
  - Identify before and after data values
  - Recover deleted data
  - Examine structural and data changes
  - Prove if indeed there was a breach
  - Determine the scope of the damage / loss
- Capabilities are significantly augmented with a 3rd party database activity monitoring system
- Native database auditing can be a big help too
Oracle Forensic Data Sources
- Within ORACLE_HOME/admin/
  - pdump/alert_.log
  - cdump/core.log: raw stack dumps resulting from buffer overflow attacks
    - Look for malicious payload in this file
    - Groupings of attacks
  - udump/_s001_4382.trc: user trace file might contain user errors
- Within ORACLE_HOME/network/log
  - Listener.log file contains connections to the listener service
  - Agntsvrc.log, etc. contain logs on components of the database
- Files may be anywhere on the system
  - Sqlnet.log files show network traffic from the client
  - SQL*Net trace files: cli_3736.trc
MS SQL Forensic Data Sources
- Active Database Data
  - Sessions, Users, Requests, Memory Contents
- Transaction Logs
  - \Program Files\Microsoft SQL Server\MSSQL\Data\*.ldf
  - View changes and who made them (DDL and DML statements)
- SQL Server Error Logs
  - \Program Files\Microsoft SQL Server\MSSQL\LOG\ERRORLOG
  - Logins, Logouts and Failed Logins (includes source IP)
  - Database Starting and Stopping
- SQL Server Trace Files (if present)
  - \Program Files\Microsoft SQL Server\MSSQL\LOG\*.trc
  - Detailed listing of SQL Statements
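The ERRORLOG source listed above (logins and failed logins with source IP) is where the "clusters of errors" from the What To Look For slide show up first. The following added example, which is not code from the presentation or from AppSecInc, parses constructed ERRORLOG-style lines and groups failed logins per client into short bursts, flagging bursts that end in a successful login from the same client; the 5-minute window and 3-failure threshold are assumed starting points, not values from the deck.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the SQL Server ERRORLOG layout; not a real log.
ERRORLOG = """\
2008-04-10 02:13:01.10 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.7]
2008-04-10 02:13:01.45 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.7]
2008-04-10 02:13:02.02 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.7]
2008-04-10 02:13:02.70 Logon       Login failed for user 'admin'. [CLIENT: 10.0.0.7]
2008-04-10 02:13:03.11 Logon       Login succeeded for user 'sa'. [CLIENT: 10.0.0.7]
2008-04-10 08:30:15.00 Logon       Login failed for user 'app_user'. [CLIENT: 192.168.5.20]
"""

LOGON = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+"
                   r"Login (failed|succeeded) for user '([^']*)'.*\[CLIENT: ([^\]]+)\]")


def parse_logons(text):
    """Return (timestamp, outcome, user, client_ip) for each logon line; other lines are skipped."""
    out = []
    for m in filter(None, map(LOGON.match, text.splitlines())):
        out.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                    m.group(2), m.group(3), m.group(4)))
    return out


def failure_clusters(events, window=timedelta(minutes=5), threshold=3):
    """Group failed logins per client IP into bursts no wider than `window`; report
    bursts of at least `threshold` failures and whether that IP then logged in successfully."""
    by_ip = defaultdict(list)
    for ts, outcome, user, ip in events:
        by_ip[ip].append((ts, outcome, user))
    clusters = []
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "failed"]
        i = 0
        while i < len(fails):
            j = i
            while j + 1 < len(fails) and fails[j + 1][0] - fails[i][0] <= window:
                j += 1
            if j - i + 1 >= threshold:
                end = fails[j][0]
                clusters.append({
                    "client": ip, "start": fails[i][0], "end": end, "failures": j - i + 1,
                    "users": sorted({e[2] for e in fails[i:j + 1]}),
                    "success_after": any(e[1] == "succeeded" and fails[i][0] <= e[0] <= end + window
                                         for e in evs)})
            i = j + 1
    return clusters
```

A single failure from 192.168.5.20 stays below the threshold and is not reported, while the 10.0.0.7 burst across two accounts followed by success is the pattern worth narrowing the investigation around.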
How Do You Secure Databases?
Apply the vulnerability management lifecycle...
- Prioritize based on vulnerability, threat, and asset classification data
- Document security plan
- Inventory assets
- Identify vulnerabilities
- Develop baseline
- Eliminate high-priority vulnerabilities
- Establish controls
- Demonstrate progress
- Monitor known vulnerabilities
- Watch unpatched systems
- Alert on other suspicious activity
How Do You Address These Vulnerabilities?
- Start with a Secure Configuration
- Stay Patched
  - Stay on top of all the security alerts and bulletins
- Defense in Depth / Multiple Levels of Security
  - Regularly scan your databases for vulnerabilities
  - Fix the problems reported!
  - Implement database activity monitoring and database intrusion detection
    - Especially if you can't stay patched!
  - Encryption of data-in-motion / data-at-rest
Best Practices Provided by Database Vendors / Notable Third Parties
- Oracle
  - Oracle9i Security Checklist
    - otn.oracle.com/deploy/security/oracle9i/index.html
  - Oracle Project Lockdown
    - www.oracle.com/technology/pub/articles/project_lockdown/index.html
  - Oracle Security Checklist
    - www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf
- SANS Institute (SysAdmin, Audit, Network, Security)
  - Oracle Database Checklist
    - www.sans.org/score/checklists/Oracle_Database_Checklist.doc
- Microsoft
  - 10 Steps to Secure SQL Server
    - www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp
- SQLSecurity.com
  - SQLSecurity Checklist
    - www.SQLSecurity.com
Database Security Info from AppSecInc
- White Papers
  - http://www.appsecinc.com/techdocs/whitepapers/research.shtml
  - Database Activity Monitoring
  - Search Engines Used to Attack Databases
  - Introduction to Database and Application Worms
  - Hunting Flaws in Microsoft SQL Server
- Presentations
  - http://www.appsecinc.com/techdocs/presentations.shtml
  - Protecting Databases
  - Hack-Proofing MySQL, IBM DB2, Oracle9iAS
  - Writing Secure Code in Oracle
- Security alerts
  - www.appsecinc.com/resources/mailinglist.html
Thank You
- Questions?
  - Vulnerabilities?
  - Locking down the database?
- Email our security experts at asktheexpert_at_appsecinc.com